Microsoft study debunks phishing profitability

Do phishers actually make money, or is phishing an unprofitable business into which scammers sink time and resources? Taking an economic approach to estimating how much money phishers make, a recently released study by Microsoft researchers Cormac Herley and Dinei Florencio ("A Profitless Endeavor: Phishing as Tragedy of the Commons") argues that phishing isn't as profitable as originally thought.

Citing the 1968 article "The Tragedy of the Commons", the researchers argue that because so many phishers compete in the same scam space, each of them earns less than they otherwise could. Moreover, according to the research, the enormous volume of phishing emails is in fact an indication of phishing's failure. Naturally, there are many more factors to consider; in particular, are phishers in fact profit-maximizing machines, or are they willing to sacrifice potential profit for the sake of their own security? Is it all about making big money, or about breaking even in general?

"However, as we will show, the economics of phishing are far far worse than this. Rather than sharing a fixed pool of dollars phishing is subject to the tragedy of the commons; i.e. the pool of dollars shrinks as a result of the efforts of the phishers. A community (all phishers) share a finite resource (the pool of phishable dollars) that has limited ability to regenerate (dollars once phished are not available to other phishers). The tragedy of the commons is that the rational course of action for each individual (phisher) leads to over-exploitation and degradation of the resource (the phishable dollars)."
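To make the dynamic in the quoted passage concrete, here is a small simulation added during editing; it is not code from the paper, and the pool size, the regeneration rule and the effort levels are illustrative assumptions rather than the authors' figures. It shows that, with a finite pool that regenerates only in proportion to what is left, every additional phisher lowers the per-phisher take, and past a threshold the pool is exhausted so that the whole community earns less over a long horizon than a single phisher would.

```python
# Toy model of the "tragedy of the commons" dynamic described in the quote.
# Editor's illustration: the regeneration rule and every parameter below are
# assumptions, not figures from the Herley/Florencio paper.

def simulate(pool, capacity, growth, num_phishers, effort, periods):
    """Run the commons model for `periods` rounds and return the outcome.

    pool         - phishable dollars available at the start (assumed)
    capacity     - ceiling the pool can regenerate toward (assumed)
    growth       - logistic regeneration rate per period (assumed);
                   limited regeneration is what makes the resource a commons
    num_phishers - number of phishers competing for the same pool
    effort       - fraction of the pool each phisher tries to extract per period
    periods      - number of rounds to simulate
    """
    total = 0.0
    for _ in range(periods):
        # Every phisher independently demands a slice of the same pool, but the
        # pool cannot pay out more than it holds: dollars phished once are gone.
        demanded = num_phishers * effort * pool
        harvest = min(pool, demanded)
        total += harvest
        pool -= harvest
        # Limited regeneration: growth is proportional to what is left, so a
        # pool driven to zero never recovers.
        pool += growth * pool * (1 - pool / capacity)
    return {
        "total": total,                      # community-wide take
        "per_phisher": total / num_phishers, # what each competitor sees
        "pool_left": pool,                   # resource remaining at the end
    }


def per_phisher_by_count(counts, **kw):
    """Per-phisher take for each competitor count, holding everything else fixed."""
    return {n: simulate(num_phishers=n, **kw)["per_phisher"] for n in counts}


if __name__ == "__main__":
    # Constructed scenario: a $1000 pool, 50% regeneration rate, 10% effort each.
    base = dict(pool=1000.0, capacity=1000.0, growth=0.5, effort=0.1, periods=50)
    for n, take in per_phisher_by_count([1, 2, 5, 10, 20], **base).items():
        community = simulate(num_phishers=n, **base)["total"]
        print(f"{n:3d} phishers: {take:8.1f} per phisher, {community:8.1f} total")
```

In the constructed scenario a lone phisher harvests from a pool that keeps partly regenerating, while ten or more phishers drain it in the first round and earn nothing afterwards, so the aggregate over fifty rounds is lower. The objections raised in the rest of this post map onto the model's parameters: unequal disposable income among victims is a larger or lumpier pool, and a growing online population is a higher regeneration rate, both of which weaken the paper's conclusion.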

Using the Tragedy of the Commons analogy in this case makes it sound as if every phished person's disposable income, to which phishers would eventually gain access, is the same. Logically, that's not the case, since a single phished person could prove a more profitable catch for a phisher than a hundred others, and the number of potentially phishable people keeps increasing as more people go online.

Moreover, phishers, perhaps not so minded toward economic models, are constantly looking for ways to achieve better efficiency, lower costs, and ways to eat other phishers' lunch by scamming their fellow colleagues. For instance, related research published in August 2008 found evidence that phishers are in fact backdooring phishing pages and then distributing them for free so that other phishers do the scam for them. The same backdooring process, even though not properly analyzed in a study, continues to take place at a more advanced and far more profitable level: backdooring web malware exploitation kits and botnet command and control interfaces. Therefore, of a hundred actively participating phishers, eighty could easily be phishing on behalf of the other twenty.

There are even more variables to consider, such as internal competition among different phishers. Just because a phisher has sent a million phishing emails pretending to be from a leading German bank to a million Chinese users, perhaps not knowing that the spam database he's using belongs to Chinese citizens, doesn't mean that the outcome of his campaign would be similar to that of a fellow phisher who has taken basic localization and targeting steps into account. With the localization of cybercrime taking place as of early 2008, outsourcing the translation of a particular phishing campaign or email is opening up an entirely new space for phishers to target potential victims more effectively. The bottom line is that the second phisher has a higher chance of success even though both are attempting to phish the same Chinese users, since he'd be impersonating a local bank and his phishing creatives would be in the victims' native language.

This is where efficiency and scalability come into play, a situation quite similar to that of spam. As long as even a small number of the million recipients of a phishing campaign become victims, the phishers break even and therefore continue expanding the number of emails sent. This shouldn't be taken as a failure of phishing in general; instead, it should be considered a campaign optimization practice that attempts to achieve better results by targeting a larger population.

Quality assurance is yet another factor distinguishing the sophisticated phisher from the novice, who will never get close to the market share the sophisticated one is aiming at. Just because all phishers have access to the same quality fakes of legitimate banks, and to DIY phishing tools that redirect harvested account data to a single domain, doesn't mean that all of them will make the same impact. The experienced ones achieve a longer average online time for their phishing domains, and apply better targeting and localization tactics, because spammers, phishers and malware authors are consolidating and vertically integrating to cut costs and achieve scalability. Phishing may be described as a low-skill, low-reward job in the study, but just like in every cybercrime practice, the "knowledge workers" in the phishing ecosystem are the ones getting most of the financial rewards, with the rest basically generating noise and in fact often getting busted due to their inexperience, acting as a human shield for the sophisticated phishers.

There's another issue to consider: how much money is a phisher actually looking to make from his phishing campaigns, and is there in fact a maximum or a minimum to his ambitions? Even once access to someone's account is obtained, is the phisher actually able to withdraw the money from the account, or is he instead going to make money by selling access to the phished account to someone who can, thus monetizing the account data instead of using it? Evidence gathered on this practice clearly indicates that novice phishers may in fact never obtain any of the money they have access to, but again make money by selling access to a particular account to those who can.

Phishers may not be making the money they used to a couple of years ago, but then again phishing has long stopped being an exclusive cybercrime practice. It has turned into a cybercrime practice "in between", with phishers breaking even given the falling costs and entry barriers into the phishing space in general. And as long as they break even, millions of phishing emails will continue circulating, again "in between" the rest of their malicious activities.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community...